From: Steven Rostedt It has been discovered that the remove_proc_entry has a race in the removing of entries in the proc file system that are siblings. There's no protection around the traversing and removing of elements that belong in the same subdirectory. This subdirectory list is protected in other areas by the BKL. So the BKL was at first used to protect this area too, but unfortunately, remove_proc_entry may be called with spinlocks held. The BKL may schedule, so this was not a solution. The final solution was to add a new global spin lock to protect this list, called proc_subdir_lock. This lock now protects the list in remove_proc_entry, and I also went around looking for other areas that this list is modified and added this protection there too. Care must be taken since these locations call several functions that may also schedule. Since I don't see any location that these functions that modify the subdirectory list are called by interrupts, the irqsave/restore versions of the spin lock was _not_ used. Signed-off-by: Steven Rostedt Signed-off-by: Andrew Morton --- fs/proc/generic.c | 32 +++++++++++++++++++++++++++++--- fs/proc/proc_devtree.c | 2 ++ include/linux/proc_fs.h | 3 +++ 3 files changed, 34 insertions(+), 3 deletions(-) diff -puN fs/proc/generic.c~protect-remove_proc_entry fs/proc/generic.c --- 25/fs/proc/generic.c~protect-remove_proc_entry Tue Jan 17 16:24:14 2006 +++ 25-akpm/fs/proc/generic.c Tue Jan 17 16:24:14 2006 @@ -19,6 +19,7 @@ #include #include #include +#include #include #include "internal.h" @@ -29,6 +30,8 @@ static ssize_t proc_file_write(struct fi size_t count, loff_t *ppos); static loff_t proc_file_lseek(struct file *, loff_t, int); +DEFINE_SPINLOCK(proc_subdir_lock); + int proc_match(int len, const char *name, struct proc_dir_entry *de) { if (de->namelen != len) @@ -277,7 +280,9 @@ static int xlate_proc_name(const char *n const char *cp = name, *next; struct proc_dir_entry *de; int len; + int rtn = 0; + spin_lock(&proc_subdir_lock); de = &proc_root; while (1) { next = strchr(cp, '/'); @@ -289,13 +294,17 @@ static int xlate_proc_name(const char *n if (proc_match(len, cp, de)) break; } - if (!de) - return -ENOENT; + if (!de) { + rtn = -ENOENT; + goto out; + } cp += len + 1; } *residual = cp; *ret = de; - return 0; +out: + spin_unlock(&proc_subdir_lock); + return rtn; } static DEFINE_IDR(proc_inum_idr); @@ -380,6 +389,7 @@ struct dentry *proc_lookup(struct inode int error = -ENOENT; lock_kernel(); + spin_lock(&proc_subdir_lock); de = PDE(dir); if (de) { for (de = de->subdir; de ; de = de->next) { @@ -388,12 +398,15 @@ struct dentry *proc_lookup(struct inode if (!memcmp(dentry->d_name.name, de->name, de->namelen)) { unsigned int ino = de->low_ino; + spin_unlock(&proc_subdir_lock); error = -EINVAL; inode = proc_get_inode(dir->i_sb, ino, de); + spin_lock(&proc_subdir_lock); break; } } } + spin_unlock(&proc_subdir_lock); unlock_kernel(); if (inode) { @@ -447,11 +460,13 @@ int proc_readdir(struct file * filp, filp->f_pos++; /* fall through */ default: + spin_lock(&proc_subdir_lock); de = de->subdir; i -= 2; for (;;) { if (!de) { ret = 1; + spin_unlock(&proc_subdir_lock); goto out; } if (!i) @@ -461,12 +476,16 @@ int proc_readdir(struct file * filp, } do { + /* filldir passes info to user space */ + spin_unlock(&proc_subdir_lock); if (filldir(dirent, de->name, de->namelen, filp->f_pos, de->low_ino, de->mode >> 12) < 0) goto out; + spin_lock(&proc_subdir_lock); filp->f_pos++; de = de->next; } while (de); + spin_unlock(&proc_subdir_lock); } ret = 1; out: unlock_kernel(); @@ -500,9 +519,13 @@ static int proc_register(struct proc_dir if (i == 0) return -EAGAIN; dp->low_ino = i; + + spin_lock(&proc_subdir_lock); dp->next = dir->subdir; dp->parent = dir; dir->subdir = dp; + spin_unlock(&proc_subdir_lock); + if (S_ISDIR(dp->mode)) { if (dp->proc_iops == NULL) { dp->proc_fops = &proc_dir_operations; @@ -694,6 +717,8 @@ void remove_proc_entry(const char *name, if (!parent && xlate_proc_name(name, &parent, &fn) != 0) goto out; len = strlen(fn); + + spin_lock(&proc_subdir_lock); for (p = &parent->subdir; *p; p=&(*p)->next ) { if (!proc_match(len, fn, *p)) continue; @@ -714,6 +739,7 @@ void remove_proc_entry(const char *name, } break; } + spin_unlock(&proc_subdir_lock); out: return; } diff -puN fs/proc/proc_devtree.c~protect-remove_proc_entry fs/proc/proc_devtree.c --- 25/fs/proc/proc_devtree.c~protect-remove_proc_entry Tue Jan 17 16:24:14 2006 +++ 25-akpm/fs/proc/proc_devtree.c Tue Jan 17 16:24:14 2006 @@ -136,9 +136,11 @@ void proc_device_tree_add_node(struct de * properties are quite unimportant for us though, thus we * simply "skip" them here, but we do have to check. */ + spin_lock(&proc_subdir_lock); for (ent = de->subdir; ent != NULL; ent = ent->next) if (!strcmp(ent->name, pp->name)) break; + spin_unlock(&proc_subdir_lock); if (ent != NULL) { printk(KERN_WARNING "device-tree: property \"%s\" name" " conflicts with node in %s\n", pp->name, diff -puN include/linux/proc_fs.h~protect-remove_proc_entry include/linux/proc_fs.h --- 25/include/linux/proc_fs.h~protect-remove_proc_entry Tue Jan 17 16:24:14 2006 +++ 25-akpm/include/linux/proc_fs.h Tue Jan 17 16:24:14 2006 @@ -4,6 +4,7 @@ #include #include #include +#include #include /* @@ -92,6 +93,8 @@ extern struct proc_dir_entry *proc_bus; extern struct proc_dir_entry *proc_root_driver; extern struct proc_dir_entry *proc_root_kcore; +extern spinlock_t proc_subdir_lock; + extern void proc_root_init(void); extern void proc_misc_init(void); _